Results 1  10
of
25
Foundational ProofCarrying Code
, 2001
"... Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axio ..."
Abstract

Cited by 229 (9 self)
 Add to MetaCart
Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axioms, using the simplest possible verifier and the smallest possible runtime system. I will describe many of the mathematical and engineering problems to be solved in the construction of a foundational proofcarrying code system.
An Indexed Model of Recursive Types for Foundational ProofCarrying Code
 ACM Transactions on Programming Languages and Systems
, 2000
"... The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types assuming onl ..."
Abstract

Cited by 135 (13 self)
 Add to MetaCart
The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types assuming only a fixed foundation of mathematics such as higherorder logic. Foundational PCC is both more flexible and more secure than typespecialized PCC.
A syntactic approach to foundational proofcarrying code
 In Seventeenth IEEE Symposium on Logic in Computer Science
, 2002
"... ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verifie ..."
Abstract

Cited by 94 (19 self)
 Add to MetaCart
ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verified using strictly the foundations of mathematical logic, with no typespecific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. In this paper, we present a syntactic approach to FPCC that avoids the difficulties of previous work. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1.
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
A Provably Sound TAL for Backend Optimization
, 2003
"... Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and impleme ..."
Abstract

Cited by 40 (9 self)
 Add to MetaCart
Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and implemented a lowlevel typed assembly language (LTAL) with a semantic model and established its soundness from the model. Compared to existing typed assembly languages, LTAL is more scalable and more secure; it has no macro instructions that hinder lowlevel optimizations such as instruction scheduling; its type constructors are expressive enough to capture dataflow information, support the compiler's choice of data representations and permit typed positionindependent code; and its typechecking algorithm is completely syntaxdirected.
A Stratified Semantics of General References Embeddable in HigherOrder Logic (Extended Abstract)
, 2002
"... Amal J. Ahmed Andrew W. Appel # Roberto Virga Princeton University {amal,appel,rvirga}@cs.princeton.edu Abstract We demonstrate a semantic model of general references  that is, mutable memory cells that may contain values of any (staticallychecked) closed type, including other references. Our mo ..."
Abstract

Cited by 30 (8 self)
 Add to MetaCart
Amal J. Ahmed Andrew W. Appel # Roberto Virga Princeton University {amal,appel,rvirga}@cs.princeton.edu Abstract We demonstrate a semantic model of general references  that is, mutable memory cells that may contain values of any (staticallychecked) closed type, including other references. Our model is in terms of execution sequences on a von Neumann machine
Certified selfmodifying code
 In Proc. 2007 ACM Conference on Programming Language Design and Implementation
, 2007
"... Selfmodifying code (SMC), in this paper, broadly refers to any program that loads, generates, or mutates code at runtime. It is widely used in many of the world’s critical software systems to support runtime code generation and optimization, dynamic loading and linking, OS boot loader, justintime ..."
Abstract

Cited by 30 (6 self)
 Add to MetaCart
Selfmodifying code (SMC), in this paper, broadly refers to any program that loads, generates, or mutates code at runtime. It is widely used in many of the world’s critical software systems to support runtime code generation and optimization, dynamic loading and linking, OS boot loader, justintime compilation, binary translation, or dynamic code encryption and obfuscation. Unfortunately, SMC is also extremely difficult to reason about: existing formal verification techniques—including Hoare logic and type system— consistently assume that program code stored in memory is fixed and immutable; this severely limits their applicability and power. This paper presents a simple but novel Hoarelogiclike framework that supports modular verification of general vonNeumann machine code with runtime code manipulation. By dropping the assumption that code memory is fixed and immutable, we are forced to apply local reasoning and separation logic at the very beginning, and treat program code uniformly as regular data structure. We address the interaction between separation and code memory and show how to establish the frame rules for local reasoning even in the presence of SMC. Our framework is realistic, but designed to be highly generic, so that it can support assembly code under all modern CPUs (including both x86 and MIPS). Our system is expressive and fully mechanized. We prove its soundness in the Coq proof assistant and demonstrate its power by certifying a series of realistic examples and applications—all of which can directly run on the SPIM simulator or any stock x86 hardware. 1.
Construction of a Semantic Model for a Typed Assembly Language
 In Proc. of VMCAI ’04
, 2004
"... Typed Assembly Languages (TALs) can be used to validate the safety of assemblylanguage programs. However, typing rules are usually trusted as axioms. ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
Typed Assembly Languages (TALs) can be used to validate the safety of assemblylanguage programs. However, typing rules are usually trusted as axioms.
MultiLevel MetaReasoning with Higher Order Abstract Syntax
 Foundations of Software Science and Computation Structures, volume 2620 of Lecture Notes in Computer Science
, 2003
"... Abstract. Combining Higher Order Abstract Syntax (HOAS) and (co)induction is well known to be problematic. In previous work [1] we have described the implementation of a tool called Hybrid, within Isabelle HOL, which allows object logics to be represented using HOAS, and reasoned about using tactica ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
Abstract. Combining Higher Order Abstract Syntax (HOAS) and (co)induction is well known to be problematic. In previous work [1] we have described the implementation of a tool called Hybrid, within Isabelle HOL, which allows object logics to be represented using HOAS, and reasoned about using tactical theorem proving and principles of (co)induction. Moreover, it is definitional, which guarantees consistency within a classical type theory. In this paper we describe how to use it in a multilevel reasoning fashion, similar in spirit to other metalogics such F Oλ ∆IN and Twelf. By explicitly referencing provability, we solve the problem of reasoning by (co)induction in presence of nonstratifiable hypothetical judgments, which allow very elegant and succinct specifications. We demonstrate the method by formally verifying the correctness of a compiler for (a fragment) of MiniML, following [10]. To further exhibit the flexibility of our system, we modify the target language with a notion of nonwellfounded closure, inspired by Milner & Tofte [19] and formally verify via coinduction a subject reduction theorem for this modified language. 1
A gradual approach to a more trustworthy, yet scalable, proofcarrying code
 Proc.CADE18, 18th International Conference on Automated Deduction
, 2002
"... Abstract. Proofcarrying code (PCC) allows a code producer to associate to a program a machinecheckable proof of its safety. In the original approach to PCC, the safety policy includes proof rules which determine how various actions are to be proved safe. These proof rules have been considered part ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
Abstract. Proofcarrying code (PCC) allows a code producer to associate to a program a machinecheckable proof of its safety. In the original approach to PCC, the safety policy includes proof rules which determine how various actions are to be proved safe. These proof rules have been considered part of the trusted code base (TCB) of the PCC system. We wish to remove the proof rules from the TCB by providing a formal proof of their soundness. This makes the PCC system more secure, by reducing the TCB; it also makes the system more flexible, by allowing code producers to provide their own safetypolicy proof rules, if they can guarantee their soundness. Furthermore this security and flexibility are gained without any loss in the ability to handle large programs. In this paper we discuss how to produce the necessary formal soundness theorem given a safety policy. As an application of the framework, we have used the Coq system to prove the soundness of the proof rules for a typebased safety policy for native machine code compiled from Java. 1